Malware Analysis Report

2024-10-23 20:08

Sample ID 240810-thhfeawhlr
Target GeoIP.dat.exe
SHA256 ca0ca21d2dae0588f4ab2a83e1c68f49eed195fd88d61ec2be2d7445a9095d22
Tags
darkcomet guest16 discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca0ca21d2dae0588f4ab2a83e1c68f49eed195fd88d61ec2be2d7445a9095d22

Threat Level: Known bad

The file GeoIP.dat.exe was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 discovery rat trojan

Darkcomet family

Darkcomet

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 16:03

Signatures

Darkcomet family

darkcomet

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 16:03

Reported

2024-08-10 16:06

Platform

win10-20240611-en

Max time kernel

146s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe"

Signatures

Darkcomet

trojan rat darkcomet

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe

"C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe"

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

Network

Country Destination Domain Proto
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/4156-0-0x0000000002310000-0x0000000002311000-memory.dmp

memory/4156-1-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4156-3-0x0000000002310000-0x0000000002311000-memory.dmp

memory/4156-16-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\Desktop\ResolveCompress.xltm

C:\Users\Admin\Desktop\TraceClear.001

C:\Users\Admin\Desktop\StartExport.bmp

C:\Users\Admin\Desktop\SplitPing.aif

C:\Users\Admin\Desktop\SetPop.pptx

C:\Users\Admin\Desktop\RevokeUnprotect.midi

C:\Users\Admin\Desktop\ResumeGroup.m1v

C:\Users\Admin\Desktop\UnregisterHide.pub

C:\Users\Admin\Desktop\ConfirmCompare.mpg

C:\Users\Admin\Desktop\DismountRead.wm

C:\Users\Admin\Desktop\DebugOpen.vbs

C:\Users\Admin\Desktop\ExportWrite.wvx

C:\Users\Admin\Desktop\JoinOut.odp

C:\Users\Admin\Desktop\OutImport.wmv

C:\Users\Admin\Desktop\UnregisterLimit.svg

C:\Users\Admin\Desktop\StartCompare.wav

C:\Users\Admin\Desktop\StartCompare.tiff

C:\Users\Admin\Desktop\SelectRequest.ps1

C:\Users\Admin\Desktop\ResetClose.wmx

C:\Users\Admin\Desktop\RedoSubmit.xltm

C:\Users\Admin\Desktop\OpenCompress.au3

C:\Users\Admin\Desktop\PingConnect.vsx

C:\Users\Admin\Desktop\HideSkip.mpeg3

C:\Users\Admin\Desktop\EditShow.mpa

C:\Users\Admin\Desktop\ConvertToCopy.asx

C:\Users\Admin\Desktop\UpdateApprove.dxf

memory/4156-51-0x0000000000400000-0x00000000004B2000-memory.dmp